In a packet-switching network, the transmission, routing, forwarding, and the like of messages between the terminals in the packet-switching network are broken into one or more packets. Associated with each terminal in the packet-switching network is a unique terminal address. Each of the packets of a message comprises a source terminal address, a destination terminal address, and a payload, which contains at least a portion of the message. The source terminal address is the terminal address of the source terminal of the packet. The destination terminal address is the terminal address of the destination terminal of the packet. Further, each of the packets of a message may take different paths to the destination terminal, depending on the availability of communication channels, and may arrive at different times. The complete message is reassembled from the packets of the message at the destinations terminal. One skilled in the art commonly refers to the source terminal address and the destination terminal address as the source address and the destination address respectively.
The packet-switching network employs packet switches for forwarding the packet. A conventional N-port packet switch comprises N network ports, an N-input N-output packet switch fabric, and an address table; where N is a positive integer greater than or equal to three. Each network port comprises a network in port and a network out port. FIG. 1 is a simplified logical diagram of a conventional 3-port packet switch. Referring to FIG. 1, a first network port comprises a first network in port 101 and a first network out port 201. A second network port comprises a second network in port 102 and a second network out port 202, and a third network port comprises a third network in port 103 and a third network out port 203. The network in ports, including for example, the first network in port 101, the second network in port 102, and the third network in port 103, receive ingress packets.
The network out ports, including for example, the first network out port 201, the second network out port 202, and the third network out port 203, transmit egress packets. In operation, a network port is linked to and in communication with a set of terminals in the packet-switching network. The source addresses of the ingress packets received at the network in port of the network port are the terminal addresses of these terminals.
The conventional 3-port packet switch analyzes the ingress packets that each network port receives through its network in port. Further, the conventional 3-port packet switch records the source addresses of the ingress packets received at each network port and associates the source address of each ingress packet with the network port that received the ingress packet in address table 2. Therefore, address table 2 contains the terminal addresses of the active terminals that are linked to each network port, and each terminal address in address table 2 is associated with the network port that links to the terminal with the terminal address. The terminal addresses associated with each network port are removed from address table 2 according to a predetermined strategy commonly referred as the aging function. There are numerous methods available for associating a network port of the packet switch with the terminal addresses in address table 2. Examples of these methods include, but are not limited to, explicitly associating the network port with the terminal address by recording the terminal address and the identity of the network port that is linked to the terminal as an ordered pair in address table 2; and implicitly associating the network port with the terminal address by recording the terminal address in a designated area in address table 2 that is reserved for the network port. In a representative conventional packet switch, address table 2 resides in the memory of the packet switch.
Network in ports 101, 102, and 103, and network out ports 201, 202, and 203 are in communication with the corresponding inputs and outputs of packet switch fabric 1. Packet switch fabric 1 examines the destination address of each packet it receives from its inputs through network in ports 101, 102, and 103; and looks up the identity of the network port that associates with the destination address of the packet in address table 2. If the destination address of the packet is in address table 2, packet switch fabric 1 routes the packet to the network out port of the network port that is associated with the destination address through one of its outputs; otherwise, packet switch fabric 1 broadcasts the packet to all its outputs.
To explain the operation and features of a conventional packet switch, refer now to the following discussion in conjunction with the accompanying figures.
First, Ethernet packet switch formats will be discussed.
Ethernet Packet Formats
Packet switches have a series of IEEE standard enhancements. Originally a packet switch did not have a virtual local area network (VLAN) and its operation was governed by the IEEE 802.1 D standard. This standard specifies MAC address learning and how to forward packets based on the MAC address table.
Then the IEEE 802.1Q standard specifies VLAN and the protocols and functional requirements of a VLAN packet switch. The IEEE 802.1 Q standard can be viewed as an enhancement of the 802.1 D standard. The most critical aspect of VLAN packet switching is the introduction of the VLAN tag and how to switch a packet based on not just the MAC address but also the packet's VLAN ID. Using a VLAN has become so common in packet switches that the support of 802.1Q is expected.
1. Original Ethernet packet (802.1D frame)
FIG. 2 illustrates a traditional Ethernet packet, where: DA: Destination MAC address (6 octets); SA: Source MAC address (6 octets); Length/Ether Type: (2 octets). When the value of these 2 octets is greater than 1536 decimal (0x0600 hex), then this field is interpreted as Ether Type. The Ether Types are obtained from the IEEE Ethertype Field Registrar (http://standards.ieee.org/regauth/ethertype/eth.txt). FCS is the four octets CRC checksum.
2. Ordinary VLAN Ethernet packet (802.1Q frame)
FIG. 3 is a VLAN Ethernet packet. Here 4 octets are added to the original Ethernet frame. Two of the octets are for Ether type and two are for the tag. The value of the first Ether Type is 0x8100 to indicate this is an IEEE 802.1Q VLAN tagged packet.
The two bytes (altogether 16 bits) of the VLAN tag are arranged as shown in FIG. 4. Since there are at most 12 bits for the VLAN ID, there can be at most 212=4096 possible values. However, the value 0 means no VLAN ID and the value 4096 is reserved. Therefore there can be 4094 VLAN IDs.
3. Double-Tagging VLAN Ethernet packet (IEEE 802.1 Q-in-Q)
FIG. 5 shows four more octets added to the 802.1Q frame. The format of the newly added 4 octets is exactly like the format of the previous four octets. The so called double tagged VLAN ID is the VLAN ID in the first VLAN tag.
To further understand-the operation and function of the packet switches refer now to the following discussion in conjunction with the accompanying figures.
There are two kinds of packet switches. They can be classified as unmanaged versus managed. The unmanaged packet switch does not need a CPU because everything on the switch is pre-configured. These unmanaged packet switches are generally low-end switches because they offer very limited flexibility and provide no information such as packet statistics to the user. These chips usually do not have the MAC and PHY blocks integrated and therefore the PCB board manufacturer has to put MAC and PHY chips with the packet switches in order for the whole system to work. Accordingly it is desirable to provide more flexibility in a switch for most applications. Therefore for most applications a managed packet switch is desired.
A managed packet switch includes a CPU interface where a processor, typically embedded on a PCB board together with the switch, can control the switch through a plurality of registers. The managed packet switch offers more functionality than the unmanaged switch, such as the ability to prioritize the sending out of packets so that the important packets leave the switch first after coming in. Furthermore, high-end switches support 802.1 Q-in-Q double VLAN tagging and are integrated with the MAC and PHY blocks.
As before mentioned packet switches are utilized extensively in networks; however, they present problems when trouble shooting a network. To describe the problems with packet switched networks during troubleshooting refer now to the following description in conjunction with the accompanying figures.
Conventional Network Monitoring Systems
FIG. 6 shows the traditional way of deploying instruments such as sniffers, intrusion detection systems (IDS), intrusion prevention systems (IPS) and forensic recorders on a packet switched network. In the conventional network monitoring system 600, the Internet 602 is coupled to a plurality of routers 603a and 603b, sniffers 604a to 604d, IDSs 606a and 606b, and a forensic recorder 608. In the present application, the term “instruments” is used for referring to the sniffers 604a-d, RMON (Remote Monitoring) probes (not shown), application monitors (not shown), IDSs 606a-b, and IPSs (not shown). There may be other kinds of instruments available in the market but the general characteristic is that, through these instruments, the user can perform certain monitoring, trouble-shooting or security activities over their network.
Note that multiple sniffers 604a-d and IDS 606a-b units are needed, and that the forensic recorder 608 can only monitor the conversation over one IP phone 610a, 610b or 610c via the span port of a switch 612. Overall the cost of ownership is high and the equipment takes up much space.
Network monitoring and trouble shooting is done by using a network analyzer or a monitor such as a sniffer 604a-d or a RMON probe on additional points in the network 600. A sniffer 604a-d can monitor the statistics of the packet traffic as well as capturing the packets. A RMON probe only monitors the statistics of the packet traffic.
The following lists the drawbacks of conventional network monitoring:
1. Both the sniffer and the RMON probe are expensive devices. The price of a typical Gigabit Ethernet sniffer is in the $15K range.
2. There are not that many monitoring ports available per unit, making the cost per port ratio extremely high. This situation is worse if the user has an extensive network that spreads over broad geographical locations, such as over several floors in a company building. In order to cover all the strategic sections of the network, the user has to install a sniffer or a RMON probe at every strategic section, making the cost of ownership extremely high.
3. More importantly, the user still cannot get an aggregated, simultaneous view of the traffic going through the different segments. This is particularly important after the introduction of Voice over IP (VoIP), where the voice packet traffic of a conversation may travel over multiple network segments simultaneously before reaching the user at the other end of the conversation.
4. Most network monitoring devices, protocol analyzers and RMON probes do not have hardware filtering capability. Instead, they use a CPU to filter packets through software. This imposes a filtering throughput restriction. This restriction is particularly problematic when filtering at line speed on high speed links.
5. Network visibility has decreased since the introduction of a packet switch. Before a packet switch, hubs were used. When hubs were used every port in the hub shares the same medium. Therefore every port can see the traffic at every other port. With this arrangement, network monitoring and trouble shooting is relatively easy because all the user needs is to plug in an instrument into one of the hub ports and visibility to all the traffic inside the hub is obtained.
However, because every port sees the traffic of every other port, a hub utilizes a significant amount of bandwidth. The problem of bandwidth usage leads to the use of a packet switch in a network. Through a MAC address learning and forwarding mechanism, a switch forwards a packet entering one port to out of another port without letting the other ports become involved. However, this becomes problematic for network monitoring and trouble-shooting because no matter which port in the switch the user plugs the sniffer into, the sniffer cannot see all the relevant traffic in the network.
To compensate for this, switch vendors provide a span port (or mirror port) where the user can configure the switch to mirror the traffic of a particular port or at most a few ports out of the span port. This is somewhat better but the network visibility is still not as good when compared with using a hub.
Another drawback of using a span port is that one user of the switch may alter the span port settings created by another user without letting the other user know. For example, in a company the network security people may use the span port to look at traffic at port X, and then in the middle of the night the IT people may come and change the span port settings to look at traffic at port Y. Though a lot of times this is not intentional, mistakes do occur and this may lead to severe negative impacts.
One way to work around the limitations of a span port is to buy an external tap where the network segment is tapped and a copy of the traffic is sent out to a sniffer or a RMON probe. The drawback of this is that there is another layer of infrastructure that the user needs to set up, increasing the cost of ownership as well as taking up valuable space in the IT area.
There is a variant of sniffer called the distributed sniffer system. In essence the user deploys multiple sniffers (called distributed sniffers) at key segments of their network. Each of these distributed sniffers has an IP address whereby a PC running special console software can access each of them via the users' existing network. This solves the problem of having the IT person running around the company with a sniffer box but it has several drawbacks. First, these distributed sniffers do not stream the monitored or captured packets to a centralized location. Rather, the statistics are collected locally and the packets captured are stored locally. When the user connects to a distributed sniffer unit remotely from a console, the statistics and the portion of packets that the user wants to see are then sent over a network (usually the user's network to be monitored) to the console.
Second, there is no real-time aggregation of packets collected over multiple network segments to a central area and this is not helpful for VoIP monitoring and trouble-shooting. It is also very expensive to overlay a separate network just to connect all these distributed sniffer units. Therefore most commonly the statistics and captured packets from a distributed sniffer unit are sent over the user's existing network to the PC running the console software. This utilizes a significant amount of bandwidth of the user's network.
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are key elements in network security monitoring and network attack prevention. An IDS is a passive device which monitors the network traffic for suspicious activities and, if evidence of suspicious activities is found, informs the user. An IDS may also sends out packets back to the network for controlling a specific network element, such as performing a TCP reset on a router. An IPS is an active device in that it sits in the middle of the traffic and can block suspicious packets as well as sending its own packets to fool the intruder. The network traffic that is allowed to pass through an IPS goes back to the network. In any case the deployment of IDS or IPS presents the same set of problems as with the deployment of network monitoring devices (see items 1 through 4 above).
Accordingly, what is needed is a system and method for allowing for improved networking monitoring in a network that has packet switches. The system and method should be compatible with existing packet switches and easily adapted to a network environment and should be cost effective. The present invention addresses such a need.